From bd009cf10f4ff89ad37a146406ffc71a512523fc Mon Sep 17 00:00:00 2001 From: Ivo Kubjas Date: Wed, 11 Oct 2023 15:38:14 +0200 Subject: [PATCH 1/5] chore: dereferences in fields_bn254 --- .../emulated/fields_bn254/e12_pairing.go | 39 ++++++++++--------- 1 file changed, 21 insertions(+), 18 deletions(-) diff --git a/std/algebra/emulated/fields_bn254/e12_pairing.go b/std/algebra/emulated/fields_bn254/e12_pairing.go index 678b438eb8..257f7d640f 100644 --- a/std/algebra/emulated/fields_bn254/e12_pairing.go +++ b/std/algebra/emulated/fields_bn254/e12_pairing.go @@ -82,7 +82,7 @@ func (e *Ext12) Square034(x *E12) *E12 { B2: *e.Ext2.Zero(), } - c3 := E6{ + c3 := &E6{ B0: x.C0.B0, B1: *e.Ext2.Neg(&x.C1.B0), B2: *e.Ext2.Neg(&x.C1.B1), @@ -93,8 +93,8 @@ func (e *Ext12) Square034(x *E12) *E12 { B1: x.C1.B1, B2: *e.Ext2.Zero(), } - c3 = *e.MulBy01(&c3, &c0.B0, &c0.B1) - c3 = *e.Ext6.Add(&c3, &c2) + c3 = e.MulBy01(c3, &c0.B0, &c0.B1) + c3 = e.Ext6.Add(c3, &c2) var z E12 z.C1.B0 = *e.Ext2.Add(&c2.B0, &c2.B0) @@ -116,16 +116,15 @@ func (e *Ext12) Square034(x *E12) *E12 { func (e *Ext12) MulBy034(z *E12, c3, c4 *E2) *E12 { a := z.C0 - b := z.C1 - b = *e.MulBy01(&b, c3, c4) + b := e.MulBy01(&z.C1, c3, c4) c3 = e.Ext2.Add(e.Ext2.One(), c3) d := e.Ext6.Add(&z.C0, &z.C1) d = e.MulBy01(d, c3, c4) - zC1 := e.Ext6.Add(&a, &b) + zC1 := e.Ext6.Add(&a, b) zC1 = e.Ext6.Neg(zC1) zC1 = e.Ext6.Add(zC1, d) - zC0 := e.Ext6.MulByNonResidue(&b) + zC0 := e.Ext6.MulByNonResidue(b) zC0 = e.Ext6.Add(zC0, &a) return &E12{ @@ -147,7 +146,7 @@ func (e *Ext12) MulBy034(z *E12, c3, c4 *E2) *E12 { // C0: E6{B0: 1, B1: 0, B2: 0}, // C1: E6{B0: d3, B1: d4, B2: 0}, // } -func (e *Ext12) Mul034By034(d3, d4, c3, c4 *E2) *[5]E2 { +func (e *Ext12) Mul034By034(d3, d4, c3, c4 *E2) [5]*E2 { x3 := e.Ext2.Mul(c3, d3) x4 := e.Ext2.Mul(c4, d4) x04 := e.Ext2.Add(c4, d4) @@ -165,7 +164,7 @@ func (e *Ext12) Mul034By034(d3, d4, c3, c4 *E2) *[5]E2 { zC1B0 := x03 zC1B1 := x04 - return &[5]E2{*zC0B0, *zC0B1, *zC0B2, *zC1B0, *zC1B1} + return [5]*E2{zC0B0, zC0B1, zC0B2, zC1B0, zC1B1} } // MulBy01234 multiplies z by an E12 sparse element of the form @@ -174,14 +173,14 @@ func (e *Ext12) Mul034By034(d3, d4, c3, c4 *E2) *[5]E2 { // C0: E6{B0: c0, B1: c1, B2: c2}, // C1: E6{B0: c3, B1: c4, B2: 0}, // } -func (e *Ext12) MulBy01234(z *E12, x *[5]E2) *E12 { - c0 := &E6{B0: x[0], B1: x[1], B2: x[2]} - c1 := &E6{B0: x[3], B1: x[4], B2: *e.Ext2.Zero()} +func (e *Ext12) MulBy01234(z *E12, x [5]*E2) *E12 { + c0 := &E6{B0: *x[0], B1: *x[1], B2: *x[2]} + c1 := &E6{B0: *x[3], B1: *x[4], B2: *e.Ext2.Zero()} a := e.Ext6.Add(&z.C0, &z.C1) b := e.Ext6.Add(c0, c1) a = e.Ext6.Mul(a, b) b = e.Ext6.Mul(&z.C0, c0) - c := e.Ext6.MulBy01(&z.C1, &x[3], &x[4]) + c := e.Ext6.MulBy01(&z.C1, x[3], x[4]) z1 := e.Ext6.Sub(a, b) z1 = e.Ext6.Sub(z1, c) z0 := e.Ext6.MulByNonResidue(c) @@ -205,13 +204,13 @@ func (e *Ext12) MulBy01234(z *E12, x *[5]E2) *E12 { // C0: E6{B0: 1, B1: 0, B2: 0}, // C1: E6{B0: z3, B1: z4, B2: 0}, // } -func (e *Ext12) Mul01234By034(x *[5]E2, z3, z4 *E2) *E12 { - c0 := &E6{B0: x[0], B1: x[1], B2: x[2]} - c1 := &E6{B0: x[3], B1: x[4], B2: *e.Ext2.Zero()} +func (e *Ext12) Mul01234By034(x [5]*E2, z3, z4 *E2) *E12 { + c0 := &E6{B0: *x[0], B1: *x[1], B2: *x[2]} + c1 := &E6{B0: *x[3], B1: *x[4], B2: *e.Ext2.Zero()} a := e.Ext6.Add(e.Ext6.One(), &E6{B0: *z3, B1: *z4, B2: *e.Ext2.Zero()}) b := e.Ext6.Add(c0, c1) a = e.Ext6.Mul(a, b) - c := e.Ext6.Mul01By01(z3, z4, &x[3], &x[4]) + c := e.Ext6.Mul01By01(z3, z4, x[3], x[4]) z1 := e.Ext6.Sub(a, c0) z1 = e.Ext6.Sub(z1, c) z0 := e.Ext6.MulByNonResidue(c) @@ -263,7 +262,11 @@ func (e Ext12) DecompressTorus(y *E6) *E12 { // N.B.: we use MulTorus in the final exponentiation throughout y1 ≠ -y2 always. func (e Ext12) MulTorus(y1, y2 *E6) *E6 { n := e.Ext6.Mul(y1, y2) - n.B1 = *e.Ext2.Add(&n.B1, e.Ext2.One()) + n = &E6{ + B0: n.B0, + B1: *e.Ext2.Add(&n.B1, e.Ext2.One()), + B2: n.B2, + } d := e.Ext6.Add(y1, y2) y3 := e.Ext6.DivUnchecked(n, d) return y3 From 3fb70af799d4feb9e6d49273a69397c6b93727ca Mon Sep 17 00:00:00 2001 From: Ivo Kubjas Date: Wed, 11 Oct 2023 15:39:57 +0200 Subject: [PATCH 2/5] chore: dereferences in fields_bls12381 --- .../emulated/fields_bls12381/e12_pairing.go | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/std/algebra/emulated/fields_bls12381/e12_pairing.go b/std/algebra/emulated/fields_bls12381/e12_pairing.go index c096b0d2fd..1810557e14 100644 --- a/std/algebra/emulated/fields_bls12381/e12_pairing.go +++ b/std/algebra/emulated/fields_bls12381/e12_pairing.go @@ -80,8 +80,7 @@ func (e Ext12) ExptTorus(x *E6) *E6 { // } func (e *Ext12) MulBy014(z *E12, c0, c1 *E2) *E12 { - a := z.C0 - a = *e.MulBy01(&a, c0, c1) + a := e.MulBy01(&z.C0, c0, c1) var b E6 // Mul by E6{0, 1, 0} @@ -94,10 +93,10 @@ func (e *Ext12) MulBy014(z *E12, c0, c1 *E2) *E12 { zC1 := e.Ext6.Add(&z.C1, &z.C0) zC1 = e.Ext6.MulBy01(zC1, c0, d) - zC1 = e.Ext6.Sub(zC1, &a) + zC1 = e.Ext6.Sub(zC1, a) zC1 = e.Ext6.Sub(zC1, &b) zC0 := e.Ext6.MulByNonResidue(&b) - zC0 = e.Ext6.Add(zC0, &a) + zC0 = e.Ext6.Add(zC0, a) return &E12{ C0: *zC0, @@ -118,7 +117,7 @@ func (e *Ext12) MulBy014(z *E12, c0, c1 *E2) *E12 { // C0: E6{B0: d0, B1: d1, B2: 0}, // C1: E6{B0: 0, B1: 1, B2: 0}, // } -func (e Ext12) Mul014By014(d0, d1, c0, c1 *E2) *[5]E2 { +func (e Ext12) Mul014By014(d0, d1, c0, c1 *E2) [5]*E2 { one := e.Ext2.One() x0 := e.Ext2.Mul(c0, d0) x1 := e.Ext2.Mul(c1, d1) @@ -141,7 +140,7 @@ func (e Ext12) Mul014By014(d0, d1, c0, c1 *E2) *[5]E2 { zC0B0 := e.Ext2.NonResidue() zC0B0 = e.Ext2.Add(zC0B0, x0) - return &[5]E2{*zC0B0, *x01, *x1, *x04, *x14} + return [5]*E2{zC0B0, x01, x1, x04, x14} } // MulBy01245 multiplies z by an E12 sparse element of the form @@ -150,14 +149,14 @@ func (e Ext12) Mul014By014(d0, d1, c0, c1 *E2) *[5]E2 { // C0: E6{B0: c0, B1: c1, B2: c2}, // C1: E6{B0: 0, B1: c4, B2: c5}, // } -func (e *Ext12) MulBy01245(z *E12, x *[5]E2) *E12 { - c0 := &E6{B0: x[0], B1: x[1], B2: x[2]} - c1 := &E6{B0: *e.Ext2.Zero(), B1: x[3], B2: x[4]} +func (e *Ext12) MulBy01245(z *E12, x [5]*E2) *E12 { + c0 := &E6{B0: *x[0], B1: *x[1], B2: *x[2]} + c1 := &E6{B0: *e.Ext2.Zero(), B1: *x[3], B2: *x[4]} a := e.Ext6.Add(&z.C0, &z.C1) b := e.Ext6.Add(c0, c1) a = e.Ext6.Mul(a, b) b = e.Ext6.Mul(&z.C0, c0) - c := e.Ext6.MulBy12(&z.C1, &x[3], &x[4]) + c := e.Ext6.MulBy12(&z.C1, x[3], x[4]) z1 := e.Ext6.Sub(a, b) z1 = e.Ext6.Sub(z1, c) z0 := e.Ext6.MulByNonResidue(c) From 5524baef1a4a1344739d1104c0188b483faf7050 Mon Sep 17 00:00:00 2001 From: Ivo Kubjas Date: Thu, 12 Oct 2023 00:20:15 +0200 Subject: [PATCH 3/5] chore: dereferences in sw_bn254 --- std/algebra/emulated/sw_bn254/pairing.go | 284 ++++++++++++++--------- 1 file changed, 178 insertions(+), 106 deletions(-) diff --git a/std/algebra/emulated/sw_bn254/pairing.go b/std/algebra/emulated/sw_bn254/pairing.go index a11fb80bb8..c62b624070 100644 --- a/std/algebra/emulated/sw_bn254/pairing.go +++ b/std/algebra/emulated/sw_bn254/pairing.go @@ -151,7 +151,10 @@ func (pr Pairing) finalExponentiation(e *GTEl, unsafe bool) *GTEl { // the case, the result is 1 in the torus. We assign a dummy value (1) to e.C1 // and proceed further. selector1 = pr.Ext6.IsZero(&e.C1) - e.C1 = *pr.Ext6.Select(selector1, _dummy, &e.C1) + e = &fields_bn254.E12{ + C0: e.C0, + C1: *pr.Ext6.Select(selector1, _dummy, &e.C1), + } } // Torus compression absorbed: @@ -329,7 +332,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { } res := pr.Ext12.One() - var prodLines [5]fields_bn254.E2 + var prodLines [5]*fields_bn254.E2 var l1, l2 *lineEvaluation Qacc := make([]*G2Affine, n) @@ -358,8 +361,14 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // (assign line to res) Qacc[0], l1 = pr.doubleStep(Qacc[0]) // line evaluation at P[0] - res.C1.B0 = *pr.MulByElement(&l1.R0, xNegOverY[0]) - res.C1.B1 = *pr.MulByElement(&l1.R1, yInv[0]) + res = &fields_bn254.E12{ + C0: res.C0, + C1: fields_bn254.E6{ + B0: *pr.MulByElement(&l1.R0, xNegOverY[0]), + B1: *pr.MulByElement(&l1.R1, yInv[0]), + B2: res.C1.B2, + }, + } if n >= 2 { // k = 1, separately to avoid MulBy034 (res × ℓ) @@ -367,16 +376,25 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[1], l1 = pr.doubleStep(Qacc[1]) // line evaluation at P[1] - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY[1]) - l1.R1 = *pr.MulByElement(&l1.R1, yInv[1]) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY[1]), + R1: *pr.MulByElement(&l1.R1, yInv[1]), + } // ℓ × res - prodLines = *pr.Mul034By034(&l1.R0, &l1.R1, &res.C1.B0, &res.C1.B1) - res.C0.B0 = prodLines[0] - res.C0.B1 = prodLines[1] - res.C0.B2 = prodLines[2] - res.C1.B0 = prodLines[3] - res.C1.B1 = prodLines[4] + prodLines = pr.Mul034By034(&l1.R0, &l1.R1, &res.C1.B0, &res.C1.B1) + res = &fields_bn254.E12{ + C0: fields_bn254.E6{ + B0: *prodLines[0], + B1: *prodLines[1], + B2: *prodLines[2], + }, + C1: fields_bn254.E6{ + B0: *prodLines[3], + B1: *prodLines[4], + B2: res.C1.B2, + }, + } } if n >= 3 { @@ -385,11 +403,13 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[2], l1 = pr.doubleStep(Qacc[2]) // line evaluation at P[1] - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY[2]) - l1.R1 = *pr.MulByElement(&l1.R1, yInv[2]) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY[2]), + R1: *pr.MulByElement(&l1.R1, yInv[2]), + } // ℓ × res - res = pr.Mul01234By034(&prodLines, &l1.R0, &l1.R1) + res = pr.Mul01234By034(prodLines, &l1.R0, &l1.R1) // k >= 3 for k := 3; k < n; k++ { @@ -397,8 +417,10 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[k], l1 = pr.doubleStep(Qacc[k]) // line evaluation at P[k] - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY[k]) - l1.R1 = *pr.MulByElement(&l1.R1, yInv[k]) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l1.R1, yInv[k]), + } // ℓ × res res = pr.MulBy034(res, &l1.R0, &l1.R1) @@ -420,21 +442,25 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { l2 = pr.lineCompute(Qacc[k], QNeg[k]) // line evaluation at P[k] - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY[k]) - l2.R1 = *pr.MulByElement(&l2.R1, yInv[k]) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l2.R1, yInv[k]), + } // Qacc[k] ← Qacc[k]+Q[k] and // l1 the line ℓ passing Qacc[k] and Q[k] Qacc[k], l1 = pr.addStep(Qacc[k], Q[k]) // line evaluation at P[k] - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY[k]) - l1.R1 = *pr.MulByElement(&l1.R1, yInv[k]) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l1.R1, yInv[k]), + } // ℓ × ℓ - prodLines = *pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) + prodLines = pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) } l1s := make([]*lineEvaluation, n) @@ -452,8 +478,10 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[k], l1s[k] = pr.doubleStep(Qacc[k]) // line evaluation at P[k] - l1s[k].R0 = *pr.MulByElement(&l1s[k].R0, xNegOverY[k]) - l1s[k].R1 = *pr.MulByElement(&l1s[k].R1, yInv[k]) + l1s[k] = &lineEvaluation{ + R0: *pr.MulByElement(&l1s[k].R0, xNegOverY[k]), + R1: *pr.MulByElement(&l1s[k].R1, yInv[k]), + } } @@ -468,9 +496,9 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // mul lines 2-by-2 for k := 1; k < n; k += 2 { // ℓ × ℓ - prodLines = *pr.Mul034By034(&l1s[k].R0, &l1s[k].R1, &l1s[k-1].R0, &l1s[k-1].R1) + prodLines = pr.Mul034By034(&l1s[k].R0, &l1s[k].R1, &l1s[k-1].R0, &l1s[k-1].R1) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) } @@ -482,17 +510,21 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[k], l1, l2 = pr.doubleAndAddStep(Qacc[k], Q[k]) // line evaluation at P[k] - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY[k]) - l1.R1 = *pr.MulByElement(&l1.R1, yInv[k]) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l1.R1, yInv[k]), + } // line evaluation at P[k] - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY[k]) - l2.R1 = *pr.MulByElement(&l2.R1, yInv[k]) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l2.R1, yInv[k]), + } // ℓ × ℓ - prodLines = *pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) + prodLines = pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) } @@ -504,17 +536,21 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Qacc[k], l1, l2 = pr.doubleAndAddStep(Qacc[k], QNeg[k]) // line evaluation at P[k] - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY[k]) - l1.R1 = *pr.MulByElement(&l1.R1, yInv[k]) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l1.R1, yInv[k]), + } // line evaluation at P[k] - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY[k]) - l2.R1 = *pr.MulByElement(&l2.R1, yInv[k]) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l2.R1, yInv[k]), + } // ℓ × ℓ - prodLines = *pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) + prodLines = pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) } @@ -527,34 +563,46 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { Q1, Q2 := new(G2Affine), new(G2Affine) for k := 0; k < n; k++ { //Q1 = π(Q) - Q1.X = *pr.Ext2.Conjugate(&Q[k].X) - Q1.X = *pr.Ext2.MulByNonResidue1Power2(&Q1.X) - Q1.Y = *pr.Ext2.Conjugate(&Q[k].Y) - Q1.Y = *pr.Ext2.MulByNonResidue1Power3(&Q1.Y) + Q1X := pr.Ext2.Conjugate(&Q[k].X) + Q1X = pr.Ext2.MulByNonResidue1Power2(Q1X) + Q1Y := pr.Ext2.Conjugate(&Q[k].Y) + Q1Y = pr.Ext2.MulByNonResidue1Power3(Q1Y) + Q1 = &G2Affine{ + X: *Q1X, + Y: *Q1Y, + } // Q2 = -π²(Q) - Q2.X = *pr.Ext2.MulByNonResidue2Power2(&Q[k].X) - Q2.Y = *pr.Ext2.MulByNonResidue2Power3(&Q[k].Y) - Q2.Y = *pr.Ext2.Neg(&Q2.Y) + + Q2Y := pr.Ext2.MulByNonResidue2Power3(&Q[k].Y) + Q2Y = pr.Ext2.Neg(Q2Y) + Q2 = &G2Affine{ + X: *pr.Ext2.MulByNonResidue2Power2(&Q[k].X), + Y: *Q2Y, + } // Qacc[k] ← Qacc[k]+π(Q) and // l1 the line passing Qacc[k] and π(Q) Qacc[k], l1 = pr.addStep(Qacc[k], Q1) // line evaluation at P[k] - l1.R0 = *pr.Ext2.MulByElement(&l1.R0, xNegOverY[k]) - l1.R1 = *pr.Ext2.MulByElement(&l1.R1, yInv[k]) + l1 = &lineEvaluation{ + R0: *pr.Ext2.MulByElement(&l1.R0, xNegOverY[k]), + R1: *pr.Ext2.MulByElement(&l1.R1, yInv[k]), + } // l2 the line passing Qacc[k] and -π²(Q) l2 = pr.lineCompute(Qacc[k], Q2) // line evaluation at P[k] - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY[k]) - l2.R1 = *pr.MulByElement(&l2.R1, yInv[k]) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l2.R1, yInv[k]), + } // ℓ × ℓ - prodLines = *pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) + prodLines = pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) } @@ -752,14 +800,14 @@ func (pr Pairing) MillerLoopFixedQ(P *G1Affine) (*GTEl, error) { res = pr.Square034(res) // lines evaluations at P // and ℓ × ℓ - prodLines := *pr.Mul034By034( + prodLines := pr.Mul034By034( pr.MulByElement(&pr.lines[0][63], xOverY), pr.MulByElement(&pr.lines[1][63], yInv), pr.MulByElement(&pr.lines[2][63], xOverY), pr.MulByElement(&pr.lines[3][63], yInv), ) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) for i := 62; i >= 0; i-- { res = pr.Square(res) @@ -775,14 +823,14 @@ func (pr Pairing) MillerLoopFixedQ(P *G1Affine) (*GTEl, error) { } else { // lines evaluations at P // and ℓ × ℓ - prodLines := *pr.Mul034By034( + prodLines := pr.Mul034By034( pr.MulByElement(&pr.lines[0][i], xOverY), pr.MulByElement(&pr.lines[1][i], yInv), pr.MulByElement(&pr.lines[2][i], xOverY), pr.MulByElement(&pr.lines[3][i], yInv), ) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) } } @@ -790,14 +838,14 @@ func (pr Pairing) MillerLoopFixedQ(P *G1Affine) (*GTEl, error) { // Compute ℓ_{[6x₀+2]Q,π(Q)}(P) · ℓ_{[6x₀+2]Q+π(Q),-π²(Q)}(P) // lines evaluations at P // and ℓ × ℓ - prodLines = *pr.Mul034By034( + prodLines = pr.Mul034By034( pr.MulByElement(&pr.lines[0][65], xOverY), pr.MulByElement(&pr.lines[1][65], yInv), pr.MulByElement(&pr.lines[0][66], xOverY), pr.MulByElement(&pr.lines[1][66], yInv), ) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) return res, nil } @@ -807,7 +855,7 @@ func (pr Pairing) MillerLoopFixedQ(P *G1Affine) (*GTEl, error) { func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, error) { res := pr.Ext12.One() - var prodLines [5]fields_bn254.E2 + var prodLines [5]*fields_bn254.E2 var l1, l2 *lineEvaluation var Qacc, QNeg *G2Affine Qacc = Q @@ -827,18 +875,20 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er Qacc, l1 = pr.doubleStep(Qacc) // line evaluation at P - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY) - l1.R1 = *pr.MulByElement(&l1.R1, yInv) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY), + R1: *pr.MulByElement(&l1.R1, yInv), + } // precomputed-ℓ × ℓ - prodLines = *pr.Mul034By034( + prodLines = pr.Mul034By034( &l1.R0, &l1.R1, pr.MulByElement(&pr.lines[0][64], x2OverY2), pr.MulByElement(&pr.lines[1][64], y2Inv), ) // (precomputed-ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) // i = 63, separately to avoid a doubleStep // (at this point Qacc = 2Q, so 2Qacc-Q=3Q is equivalent to Qacc+Q=3Q @@ -848,31 +898,35 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er l2 = pr.lineCompute(Qacc, QNeg) // line evaluation at P - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY) - l2.R1 = *pr.MulByElement(&l2.R1, yInv) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY), + R1: *pr.MulByElement(&l2.R1, yInv), + } // Qacc ← Qacc+Q and // l1 the line ℓ passing Qacc and Q Qacc, l1 = pr.addStep(Qacc, Q) // line evaluation at P - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY) - l1.R1 = *pr.MulByElement(&l1.R1, yInv) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY), + R1: *pr.MulByElement(&l1.R1, yInv), + } // ℓ × ℓ - prodLines = *pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) + prodLines = pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) // precomputed-ℓ × precomputed-ℓ - prodLines = *pr.Mul034By034( + prodLines = pr.Mul034By034( pr.MulByElement(&pr.lines[0][63], x2OverY2), pr.MulByElement(&pr.lines[1][63], y2Inv), pr.MulByElement(&pr.lines[2][63], x2OverY2), pr.MulByElement(&pr.lines[3][63], y2Inv), ) // (precomputed-ℓ × precomputed-ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) // Compute ∏ᵢ { fᵢ_{6x₀+2,Q}(P) } for i := 62; i >= 0; i-- { @@ -887,29 +941,31 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er Qacc, l1 = pr.doubleStep(Qacc) // line evaluation at P - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY) - l1.R1 = *pr.MulByElement(&l1.R1, yInv) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY), + R1: *pr.MulByElement(&l1.R1, yInv), + } // precomputed-ℓ × ℓ - prodLines = *pr.Mul034By034( + prodLines = pr.Mul034By034( &l1.R0, &l1.R1, pr.MulByElement(&pr.lines[0][i], x2OverY2), pr.MulByElement(&pr.lines[1][i], y2Inv), ) // (precomputed-ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) case 1: // precomputed-ℓ × precomputed-ℓ - prodLines = *pr.Mul034By034( + prodLines = pr.Mul034By034( pr.MulByElement(&pr.lines[0][i], x2OverY2), pr.MulByElement(&pr.lines[1][i], y2Inv), pr.MulByElement(&pr.lines[2][i], x2OverY2), pr.MulByElement(&pr.lines[3][i], y2Inv), ) // (precomputed-ℓ × precomputed-ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) // Qacc ← 2Qacc+Q, // l1 the line ℓ passing Qacc and Q @@ -917,28 +973,32 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er Qacc, l1, l2 = pr.doubleAndAddStep(Qacc, Q) // line evaluation at P - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY) - l1.R1 = *pr.MulByElement(&l1.R1, yInv) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY), + R1: *pr.MulByElement(&l1.R1, yInv), + } // line evaluation at P - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY) - l2.R1 = *pr.MulByElement(&l2.R1, yInv) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY), + R1: *pr.MulByElement(&l2.R1, yInv), + } // ℓ × ℓ - prodLines = *pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) + prodLines = pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) case -1: // precomputed-ℓ × precomputed-ℓ - prodLines = *pr.Mul034By034( + prodLines = pr.Mul034By034( pr.MulByElement(&pr.lines[0][i], x2OverY2), pr.MulByElement(&pr.lines[1][i], y2Inv), pr.MulByElement(&pr.lines[2][i], x2OverY2), pr.MulByElement(&pr.lines[3][i], y2Inv), ) // (precomputed-ℓ × precomputed-ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) // Qacc ← 2Qacc-Q, // l1 the line ℓ passing Qacc and -Q @@ -946,17 +1006,21 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er Qacc, l1, l2 = pr.doubleAndAddStep(Qacc, QNeg) // line evaluation at P - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY) - l1.R1 = *pr.MulByElement(&l1.R1, yInv) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY), + R1: *pr.MulByElement(&l1.R1, yInv), + } // line evaluation at P - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY) - l2.R1 = *pr.MulByElement(&l2.R1, yInv) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY), + R1: *pr.MulByElement(&l2.R1, yInv), + } // ℓ × ℓ - prodLines = *pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) + prodLines = pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) default: return nil, errors.New("invalid loopCounter") @@ -966,44 +1030,52 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er // Compute ∏ᵢ { ℓᵢ_{[6x₀+2]Q,π(Q)}(P) · ℓᵢ_{[6x₀+2]Q+π(Q),-π²(Q)}(P) } Q1, Q2 := new(G2Affine), new(G2Affine) //Q1 = π(Q) - Q1.X = *pr.Ext2.Conjugate(&Q.X) - Q1.X = *pr.Ext2.MulByNonResidue1Power2(&Q1.X) - Q1.Y = *pr.Ext2.Conjugate(&Q.Y) - Q1.Y = *pr.Ext2.MulByNonResidue1Power3(&Q1.Y) + Q1X := pr.Ext2.Conjugate(&Q.X) + Q1Y := pr.Ext2.Conjugate(&Q.Y) + Q1 = &G2Affine{ + X: *pr.Ext2.MulByNonResidue1Power2(Q1X), + Y: *pr.Ext2.MulByNonResidue1Power3(Q1Y), + } // Q2 = -π²(Q) - Q2.X = *pr.Ext2.MulByNonResidue2Power2(&Q.X) - Q2.Y = *pr.Ext2.MulByNonResidue2Power3(&Q.Y) - Q2.Y = *pr.Ext2.Neg(&Q2.Y) + Q2Y := pr.Ext2.MulByNonResidue2Power3(&Q.Y) + Q2 = &G2Affine{ + X: *pr.Ext2.MulByNonResidue2Power2(&Q.X), + Y: *pr.Ext2.Neg(Q2Y), + } // Qacc ← Qacc+π(Q) and // l1 the line passing Qacc and π(Q) Qacc, l1 = pr.addStep(Qacc, Q1) // line evaluation at P - l1.R0 = *pr.Ext2.MulByElement(&l1.R0, xNegOverY) - l1.R1 = *pr.Ext2.MulByElement(&l1.R1, yInv) + l1 = &lineEvaluation{ + R0: *pr.Ext2.MulByElement(&l1.R0, xNegOverY), + R1: *pr.Ext2.MulByElement(&l1.R1, yInv), + } // l2 the line passing Qacc and -π²(Q) l2 = pr.lineCompute(Qacc, Q2) // line evaluation at P - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY) - l2.R1 = *pr.MulByElement(&l2.R1, yInv) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY), + R1: *pr.MulByElement(&l2.R1, yInv), + } // ℓ × ℓ - prodLines = *pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) + prodLines = pr.Mul034By034(&l1.R0, &l1.R1, &l2.R0, &l2.R1) // (ℓ × ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) // precomputed-ℓ × precomputed-ℓ - prodLines = *pr.Mul034By034( + prodLines = pr.Mul034By034( pr.MulByElement(&pr.lines[0][65], x2OverY2), pr.MulByElement(&pr.lines[1][65], y2Inv), pr.MulByElement(&pr.lines[0][66], x2OverY2), pr.MulByElement(&pr.lines[1][66], y2Inv), ) // (precomputed-ℓ × precomputed-ℓ) × res - res = pr.MulBy01234(res, &prodLines) + res = pr.MulBy01234(res, prodLines) return res, nil } From 3f4ef17a0726062fd026a56c9e8b664446197679 Mon Sep 17 00:00:00 2001 From: Ivo Kubjas Date: Thu, 12 Oct 2023 01:04:23 +0200 Subject: [PATCH 4/5] chore: dereferences in sw_bls12381 --- std/algebra/emulated/sw_bls12381/pairing.go | 131 +++++++++++++------- 1 file changed, 86 insertions(+), 45 deletions(-) diff --git a/std/algebra/emulated/sw_bls12381/pairing.go b/std/algebra/emulated/sw_bls12381/pairing.go index 9f4996d457..e4622f84b9 100644 --- a/std/algebra/emulated/sw_bls12381/pairing.go +++ b/std/algebra/emulated/sw_bls12381/pairing.go @@ -150,7 +150,10 @@ func (pr Pairing) finalExponentiation(e *GTEl, unsafe bool) *GTEl { // the case, the result is 1 in the torus. We assign a dummy value (1) to e.C1 // and proceed further. selector1 = pr.Ext6.IsZero(&e.C1) - e.C1 = *pr.Ext6.Select(selector1, _dummy, &e.C1) + e = &fields_bls12381.E12{ + C0: e.C0, + C1: *pr.Ext6.Select(selector1, _dummy, &e.C1), + } } // Torus compression absorbed: @@ -358,15 +361,24 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { res.C0.B0 = *pr.MulByElement(&l1.R1, yInv[0]) res.C1.B1 = *pr.Ext2.One() // line evaluation at P[0] - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY[0]) - l2.R1 = *pr.MulByElement(&l2.R1, yInv[0]) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY[0]), + R1: *pr.MulByElement(&l2.R1, yInv[0]), + } // res = ℓ × ℓ - prodLines := *pr.Mul014By014(&l2.R1, &l2.R0, &res.C0.B0, &res.C0.B1) - res.C0.B0 = prodLines[0] - res.C0.B1 = prodLines[1] - res.C0.B2 = prodLines[2] - res.C1.B1 = prodLines[3] - res.C1.B2 = prodLines[4] + prodLines := pr.Mul014By014(&l2.R1, &l2.R0, &res.C0.B0, &res.C0.B1) + res = &fields_bls12381.E12{ + C0: fields_bls12381.E6{ + B0: *prodLines[0], + B1: *prodLines[1], + B2: *prodLines[2], + }, + C1: fields_bls12381.E6{ + B0: res.C1.B0, + B1: *prodLines[3], + B2: *prodLines[4], + }, + } for k := 1; k < n; k++ { // Qacc[k] ← 3Qacc[k], @@ -374,15 +386,19 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // l2 the line ℓ passing 2Q[k] and Q[k] Qacc[k], l1, l2 = pr.tripleStep(Qacc[k]) // line evaluation at P[k] - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY[k]) - l1.R1 = *pr.MulByElement(&l1.R1, yInv[k]) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l1.R1, yInv[k]), + } // line evaluation at P[k] - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY[k]) - l2.R1 = *pr.MulByElement(&l2.R1, yInv[k]) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l2.R1, yInv[k]), + } // ℓ × ℓ - prodLines = *pr.Mul014By014(&l1.R1, &l1.R0, &l2.R1, &l2.R0) + prodLines = pr.Mul014By014(&l1.R1, &l1.R0, &l2.R1, &l2.R0) // (ℓ × ℓ) × res - res = pr.MulBy01245(res, &prodLines) + res = pr.MulBy01245(res, prodLines) } @@ -397,8 +413,10 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // Qacc[k] ← 2Qacc[k] and l1 the tangent ℓ passing 2Qacc[k] Qacc[k], l1 = pr.doubleStep(Qacc[k]) // line evaluation at P[k] - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY[k]) - l1.R1 = *pr.MulByElement(&l1.R1, yInv[k]) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l1.R1, yInv[k]), + } // ℓ × res res = pr.MulBy014(res, &l1.R1, &l1.R0) } @@ -409,15 +427,19 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // l2 the line ℓ passing (Qacc[k]+Q[k]) and Qacc[k] Qacc[k], l1, l2 = pr.doubleAndAddStep(Qacc[k], Q[k]) // line evaluation at P[k] - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY[k]) - l1.R1 = *pr.MulByElement(&l1.R1, yInv[k]) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l1.R1, yInv[k]), + } // line evaluation at P[k] - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY[k]) - l2.R1 = *pr.MulByElement(&l2.R1, yInv[k]) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l2.R1, yInv[k]), + } // ℓ × ℓ - prodLines = *pr.Mul014By014(&l1.R1, &l1.R0, &l2.R1, &l2.R0) + prodLines = pr.Mul014By014(&l1.R1, &l1.R0, &l2.R1, &l2.R0) // (ℓ × ℓ) × res - res = pr.MulBy01245(res, &prodLines) + res = pr.MulBy01245(res, prodLines) } } } @@ -428,8 +450,10 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { // l1 the tangent ℓ passing 2Qacc[k] l1 = pr.tangentCompute(Qacc[k]) // line evaluation at P[k] - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY[k]) - l1.R1 = *pr.MulByElement(&l1.R1, yInv[k]) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY[k]), + R1: *pr.MulByElement(&l1.R1, yInv[k]), + } // ℓ × res res = pr.MulBy014(res, &l1.R1, &l1.R0) } @@ -725,15 +749,24 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er res.C0.B0 = *pr.MulByElement(&l1.R1, yInv) res.C1.B1 = *pr.Ext2.One() // line evaluation at P - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY) - l2.R1 = *pr.MulByElement(&l2.R1, yInv) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY), + R1: *pr.MulByElement(&l2.R1, yInv), + } // res = ℓ × ℓ - prodLines := *pr.Mul014By014(&l2.R1, &l2.R0, &res.C0.B0, &res.C0.B1) - res.C0.B0 = prodLines[0] - res.C0.B1 = prodLines[1] - res.C0.B2 = prodLines[2] - res.C1.B1 = prodLines[3] - res.C1.B2 = prodLines[4] + prodLines := pr.Mul014By014(&l2.R1, &l2.R0, &res.C0.B0, &res.C0.B1) + res = &fields_bls12381.E12{ + C0: fields_bls12381.E6{ + B0: *prodLines[0], + B1: *prodLines[1], + B2: *prodLines[2], + }, + C1: fields_bls12381.E6{ + B0: res.C1.B0, + B1: *prodLines[3], + B2: *prodLines[4], + }, + } res = pr.MulBy014(res, pr.MulByElement(&pr.lines[1][62], y2Inv), @@ -758,8 +791,10 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er // Qacc ← 2Qacc and l1 the tangent ℓ passing 2Qacc Qacc, l1 = pr.doubleStep(Qacc) // line evaluation at P - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY) - l1.R1 = *pr.MulByElement(&l1.R1, yInv) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY), + R1: *pr.MulByElement(&l1.R1, yInv), + } // ℓ × res res = pr.MulBy014(res, &l1.R1, &l1.R0) } else { @@ -776,15 +811,19 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er // l2 the line ℓ passing (Qacc+Q) and Qacc Qacc, l1, l2 = pr.doubleAndAddStep(Qacc, Q) // line evaluation at P - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY) - l1.R1 = *pr.MulByElement(&l1.R1, yInv) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY), + R1: *pr.MulByElement(&l1.R1, yInv), + } // line evaluation at P - l2.R0 = *pr.MulByElement(&l2.R0, xNegOverY) - l2.R1 = *pr.MulByElement(&l2.R1, yInv) + l2 = &lineEvaluation{ + R0: *pr.MulByElement(&l2.R0, xNegOverY), + R1: *pr.MulByElement(&l2.R1, yInv), + } // ℓ × ℓ - prodLines = *pr.Mul014By014(&l1.R1, &l1.R0, &l2.R1, &l2.R0) + prodLines = pr.Mul014By014(&l1.R1, &l1.R0, &l2.R1, &l2.R0) // (ℓ × ℓ) × res - res = pr.MulBy01245(res, &prodLines) + res = pr.MulBy01245(res, prodLines) } } @@ -794,17 +833,19 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er // l1 the tangent ℓ passing 2Qacc l1 = pr.tangentCompute(Qacc) // line evaluation at P - l1.R0 = *pr.MulByElement(&l1.R0, xNegOverY) - l1.R1 = *pr.MulByElement(&l1.R1, yInv) + l1 = &lineEvaluation{ + R0: *pr.MulByElement(&l1.R0, xNegOverY), + R1: *pr.MulByElement(&l1.R1, yInv), + } // ℓ × ℓ - prodLines = *pr.Mul014By014( + prodLines = pr.Mul014By014( &l1.R1, &l1.R0, pr.MulByElement(&pr.lines[1][0], y2Inv), pr.MulByElement(&pr.lines[0][0], x2OverY2), ) // (ℓ × ℓ) × res - res = pr.MulBy01245(res, &prodLines) + res = pr.MulBy01245(res, prodLines) // negative x₀ res = pr.Ext12.Conjugate(res) From ebedeb59d07021f5fe4d1ae3921245fd2314d0b1 Mon Sep 17 00:00:00 2001 From: Ivo Kubjas Date: Wed, 18 Oct 2023 18:42:09 +0200 Subject: [PATCH 5/5] chore: fix linter warning --- std/algebra/emulated/sw_bn254/pairing.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/std/algebra/emulated/sw_bn254/pairing.go b/std/algebra/emulated/sw_bn254/pairing.go index c62b624070..11b9ba7d75 100644 --- a/std/algebra/emulated/sw_bn254/pairing.go +++ b/std/algebra/emulated/sw_bn254/pairing.go @@ -560,7 +560,7 @@ func (pr Pairing) MillerLoop(P []*G1Affine, Q []*G2Affine) (*GTEl, error) { } // Compute ∏ᵢ { ℓᵢ_{[6x₀+2]Q,π(Q)}(P) · ℓᵢ_{[6x₀+2]Q+π(Q),-π²(Q)}(P) } - Q1, Q2 := new(G2Affine), new(G2Affine) + var Q1, Q2 *G2Affine for k := 0; k < n; k++ { //Q1 = π(Q) Q1X := pr.Ext2.Conjugate(&Q[k].X) @@ -1028,7 +1028,7 @@ func (pr Pairing) DoubleMillerLoopFixedQ(P, T *G1Affine, Q *G2Affine) (*GTEl, er } // Compute ∏ᵢ { ℓᵢ_{[6x₀+2]Q,π(Q)}(P) · ℓᵢ_{[6x₀+2]Q+π(Q),-π²(Q)}(P) } - Q1, Q2 := new(G2Affine), new(G2Affine) + var Q1, Q2 *G2Affine //Q1 = π(Q) Q1X := pr.Ext2.Conjugate(&Q.X) Q1Y := pr.Ext2.Conjugate(&Q.Y)